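<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>CSRF token handling PoC</title>
  <!--
    Same-origin demo page. The hidden csrf_token field is populated by this
    page's own script from two places: the response body of GET /csrf, and the
    "csrf_coken" response header of GET /csrfHeader. Both requests are
    asynchronous and both callbacks write the same field, so the response that
    arrives last is the value the form submits.
  -->
  <script src="lib/jquery.min.2.1.4.js"></script>
</head>
<body>
  <div>
    <span>csrf poc</span>
    <form id="xssform" action="/csrf/form" method="POST">
      <label for="data">Input</label>
      <input id="data" type="text" name="input" value="haha">
      <input id="btn" type="submit">
      <input id="csrf" name="csrf_token" type="hidden" value="">
    </form>
  </div>
  <!-- Inline script placed inside <body>, after the jQuery include it depends on. -->
  <script>
    // Token delivered in the response body of /csrf.
    $.get("/csrf", function (data, status, xhr) {
      $("#csrf").val(data);
    });

    // Token delivered in a response header of /csrfHeader; same-origin
    // JavaScript can read it through getResponseHeader. The header name
    // "csrf_coken" is kept exactly as the original page reads it —
    // NOTE(review): confirm it matches the header name the server sets.
    $.get("/csrfHeader", function (data, status, xhr) {
      console.log("csrf_token of Response Header:" + xhr.getResponseHeader("csrf_coken"));
      $("#csrf").val(xhr.getResponseHeader("csrf_coken"));
    });
  </script>
</body>
</html>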

